Malware - PC Crashes / Browser redirects

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5765

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/14/2011 8:48:02 PM
mbam-log-2011-02-14 (20-48-02).txt

Scan type: Quick scan
Objects scanned: 186236
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Step 4 | Let's perform an ESET Online Scan
============
Hi
How much time does this take?

It's been 60 mins and it's still scanning one of the .iso installation files by Microsoft.

Please advise
Thanks and regards
Sanjay
 
Hi Sanjay,


Yes, online scanners like this often take several hours to complete. I would suggest you run the scan at night, and if possible, let it run the rest of the day. It's important that you provide me with its results.


The rest of the logs are looking fine. How is your browser running?
 
ESET scan log

C:\Qoobox\Quarantine\C\Users\Sanjana\AppData\Local\ayetaciw.dll.vir a variant of Win32/Cimag.FT trojan
C:\Users\Public\Documents\Server\hlp.dat probably a variant of Win32/Agent.JCVPCMR trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\43120580-37e6314a Java/TrojanDownloader.Agent.NBK trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\653a8b4a-2482c0d8 probably a variant of Win32/Agent.FPEXZHL trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\7a087e0b-340f2d40 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-634e45ea multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\308c10c-46579c39 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\6b2b5d8c-41e726b4 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\15397e0d-7f42dd1c a variant of Java/TrojanDownloader.OpenStream.NAY trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\48173611-6b28a619 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\16f80713-5915a4a4 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\8cc76d3-57b25d78 a variant of Java/Exploit.Agent.NAL trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\5f546d95-515d52fd multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\160ba957-17b0d7ca multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\42f2dad8-6a223b6f probably a variant of Win32/Agent.RPSVWU trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\7b7b6759-76a96a10 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\53c8c5da-44d9b878 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\48c654db-5a6528b1 probably a variant of Win32/Agent.HRYTTOE trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\20d825dc-71923437 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\26d395dc-1903ca14 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\68a9cc5c-1a42ef06 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\743fee9f-74daa67c multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\30feb821-2004b95f multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\35d18421-58060da7 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\187b0ca2-5a475499 probably a variant of Win32/Agent.FPEXZHL trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\43ddf822-35b7d5ff multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\41e8aee3-407cc926 probably a variant of Win32/Agent.HRYTTOE trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\170f8765-4b4d12e9 probably a variant of Win32/Agent.HRYTTOE trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\546b8c27-4a2b8e78 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-2bc9dd3f Java/TrojanDownloader.Agent.NBL trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\5ebca369-3def0ec0 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\34a3fab-62c16d5b multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\752509ab-2596151f probably a variant of Win32/Agent.HRYTTOE trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\f6e936c-1489abc4 a variant of OSX/Exploit.Smid.C trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\4084a7b0-1835644b multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-40f8015a probably a variant of Win32/Agent.DYXWUMY trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\6a183b45-16a9ac88 probably a variant of Win32/Agent.HRYTTOE trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\425fc2f3-3663729c probably a variant of Win32/Agent.RPSVWU trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\31bba1f4-7ba92068 probably a variant of Win32/Agent.DYXWUMY trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\7971bb76-26972c50 multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\1192d4f9-74dea01b multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\fd18ba-48640a7b multiple threats
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\23146dfe-1e91f3dd a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\43e0867f-2eb57fe0 Java/TrojanDownloader.Agent.NBL trojan
C:\Users\Sanjana\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-18f911d0 Java/TrojanDownloader.Agent.NBK trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\4812d38c-56443801 multiple threats
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\44d775d7-1278bf7f multiple threats
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\1131b71b-28fe058d a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\3c257486-775cb703 multiple threats
 
Hi there,


We are almost done. How's the computer running now?


Please follow these steps:


Step 1 | Please go to the following site to scan a file: Virus Total

  • Click on Browse, and upload the following file for analysis:
    • C:\Users\Public\Documents\Server\hlp.dat
  • Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
  • If it says already scanned -- click "reanalyze now"
  • Please post the results in your next reply.


Step 2 | Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove the older Java components and update.


  • Click on the following link to visit the Java website: Java Runtime Environment (JRE) 6
  • Scroll down to where it says "JDK 6 Update 23 (JDK or JRE)".
  • Click the "Download" button to the right column (JRE).
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name [Java(TM) 6 Update 21 and Java(TM) 6 Update 3].
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the recently downloaded Java installer icon to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files window.
    • Click OK to leave the Java Control Panel.
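As an added example (not part of this thread), a small Python triage of an ESET log in the format posted above: it separates detections inside the Java deployment cache, which the Step 2 cache clearing removes, from already-quarantined items and from live files such as hlp.dat that need a second opinion, and counts which profiles' caches are affected. The sample lines are copied from the log above; the bucket names and functions are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the ESET log posted above (paths copied from the thread).
SAMPLE_LOG = """\
C:\\Qoobox\\Quarantine\\C\\Users\\Sanjana\\AppData\\Local\\ayetaciw.dll.vir a variant of Win32/Cimag.FT trojan
C:\\Users\\Public\\Documents\\Server\\hlp.dat probably a variant of Win32/Agent.JCVPCMR trojan
C:\\Users\\Sanjana\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\0\\43120580-37e6314a Java/TrojanDownloader.Agent.NBK trojan
C:\\Users\\Sanjana\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\11\\7a087e0b-340f2d40 multiple threats
C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\6\\3c257486-775cb703 multiple threats
"""

# A log line is "<path> <verdict>". Paths may contain spaces, so the verdict is matched
# from the end of the line using the three verdict shapes that appear in the log.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>(?:probably )?a variant of \S+ trojan|multiple threats|\S+ trojan)$"
)
JAVA_CACHE_RE = re.compile(r"\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\", re.IGNORECASE)
QUARANTINE_PREFIX = "C:\\Qoobox\\Quarantine\\"  # ComboFix quarantine folder: already neutralised

def parse_log(text):
    """Yield (path, verdict) for each well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("verdict")

def classify(path):
    """Bucket a detection by what it takes to deal with it."""
    if path.startswith(QUARANTINE_PREFIX):
        return "quarantined"  # nothing left to do beyond emptying the quarantine
    if JAVA_CACHE_RE.search(path):
        return "java_cache"  # removed by clearing the Java deployment cache (Step 2)
    return "review"  # live file outside any cache: needs a second opinion

def cache_owner(path):
    """Profile that owns a Java cache entry: the path up to its \\AppData segment."""
    return path[: path.lower().index("\\appdata")]

def triage(text):
    """Group detections by bucket; 'review' is the one the helper must act on."""
    buckets = defaultdict(list)
    for path, verdict in parse_log(text):
        buckets[classify(path)].append((path, verdict))
    return dict(buckets)

def cache_owners(text):
    """Count Java cache hits per profile, so that every affected cache gets cleared."""
    return Counter(cache_owner(p) for p, _ in triage(text).get("java_cache", []))
```

The systemprofile cache belongs to the SYSTEM account, so the per-user Java Control Panel steps above clear only the logged-in user's cache; `cache_owners` makes that second location visible.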
 
When I browse and click on "Send File", it does not do anything.
The status bar in IE shows an "Error on page" message. When I clicked on details, I got the message below.

==============================================

Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; InfoPath.3)
Timestamp: Fri, 18 Feb 2011 03:55:02 UTC

Message: 'tagName' is null or not an object
Line: 73
Char: 4
Code: 0
URI: http://www.virustotal.com/

===============================================
 
Then please upload the file to Jotti:

Go here: http://virusscan.jotti.org/

  • When the Jotti page has finished loading, click the "Browse" button and navigate to the following file and click Submit:
    • C:\Users\Public\Documents\Server\hlp.dat
  • Copy the results and paste them here
 
Results

http://virusscan.jotti.org/en/scanresult/c22b8e8e9a9fd237d8b65ed602639a24653d3229

2011-02-19 Found nothing 2011-02-19 Found nothing
2011-02-18 Found nothing 2011-02-18 Trojan.Win32.Bamital
2011-02-18 Found nothing Scanning, please wait...
2011-02-18 Found nothing 2011-02-18 Found nothing
2011-02-18 Found nothing 2011-02-18 Found nothing
2011-02-18 Found nothing 2011-02-18 Found nothing
2011-02-18 Found nothing 2011-02-19 Mal/Bamital-A
2011-02-19 Found nothing 2011-02-18 Found nothing
2011-02-18 Found nothing 2011-02-18 Found nothing
2011-02-19 Found nothing
 
Thanks.
On this update page there are two options with "JDK 6 Update 23":
JDK 6 Update 23 with Java EE
and
JDK 6 Update 23 with NetBeans 6.9.1

There is also an option "JDK 6 Update 24 with JavaFX 1.3.1 SDK".

Which one should I choose?
 
Java has been updated in the meanwhile. You should scroll down to and download "JDK 6 Update 24 (JDK or JRE)" now.
 
Hi Sanjay,


Your logs look ok, so we are almost done. How is your computer running now? Are you still experiencing any redirects?


I notice you do not have an antivirus; cleaning you without one would be a waste of time, as you will get re-infected. Choose, download and install only ONE of the following applications:



I don't see any evidence of a 3rd Party Firewall installed on your computer either. Can you please tell me if you have one installed, and verify that it is active.

  1. If you have Windows Firewall enabled, that's ok.
  2. If you do not have a Firewall installed, please go to one of the links below and download and install ONLY one.

 
Since this issue appears to be resolved ... this Topic has been closed.
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me a private message (pm). A valid, working link to the closed topic is required.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps improve Spybot-S&D!
 